INTRODUCTION TO L2VPNS
Introduction to Layer 2 and Layer 3 VPN Services
[Diagram: CE - PE - IP backbone - PE - CE. Legend: a Layer 3 VPN link is comprised of IP traffic passed over the IP backbone; a Layer 2 VPN passes Ethernet, ATM, Frame Relay, PPP and HDLC traffic over the IP backbone.]
- Layer 2 and Layer 3 VPN services are offered from the edge of a network
VPN Technology Variants: VPN Forwarding Decisions, SP Relationship
What information is relevant in forwarding customer traffic?
Layer 3 VPNs:
- Provider devices forward customer packets based on Layer 3 information (e.g., IP)
- SP involvement in routing
- MPLS/BGP VPNs (RFC 2547), MPLS VPN over IP, GRE, virtual router approaches
Layer 2 VPNs:
- Provider devices forward customer packets based on Layer 2 information
- Tunnels, circuits, LSPs, MAC addresses
- Pseudowire concept
What Is an L2VPN?
[Diagram: L2VPN network service functions.]
- VPWS (Virtual Private Wire Service): point-to-point switched frame transport over a pseudowire
- VPLS (Virtual Private LAN Service): any-to-any switched frame transport service over a pseudowire, using customer MACs for forwarding
- Service functions: directory, peer discovery, attachment and extension VCs, network management, pseudowires, multipoint replication, QoS, high availability, security, interworking
- Tunneling mechanisms: AToM, L2TPv3
- Attachment circuit types: FR, ATM (AAL5 and Cell), Ethernet, PPP/HDLC
VPWS Reference Model
[Diagram: customer site - PWES - PE - pseudowires inside a PSN tunnel - PE - PWES - customer site; the end-to-end path is the emulated service.]
- A pseudowire (PW) is a connection between two Provider Edge (PE) devices which connects two pseudowire end-services (PWESs) of the same type
- Service types: Ethernet, 802.1Q (VLAN), ATM VC or VP, HDLC, PPP, Frame Relay VC
Virtual Private Wire Service (VPWS): Customer Perspective
[Diagram: CE1 through CE5 connected by point-to-point links.]
- Point-to-point connections between Provider Edge (PE) nodes
- Same look and feel as existing L2 PVCs (i.e., Frame Relay point-to-point)
- Service provider simply forwards incoming frames based on Layer 2 information (i.e., DLCI, VLAN tag, VPI/VCI, etc.)
VPLS Reference Model
[Diagram: customer sites attached to PEs over Ethernet attachment VCs; the PEs are connected by a full mesh of pseudowires across the MPLS core.]
- A full mesh of pseudowires (PWs) is used to connect all Provider Edge (PE) devices which support a given VPLS VPN
- Attachment VCs are Ethernet
Virtual Private LAN Service (VPLS): Customer Perspective
[Diagram: CE1 through CE4; all PEs appear connected on a common switch.]
- Multipoint-to-multipoint configuration
- Forwarding of frames based on learned MAC addresses
- Uses Virtual Switching Instances (VSIs) for customer separation
Service Offerings: L2VPN Transport Services

Transport        VPWS                                                VPLS
ATM              AAL5 over Pseudowire (Muxed UNI)                    -
                 Cell Relay w/ packing over Pseudowire (Muxed UNI)
Frame Relay      FR over Pseudowire (Muxed UNI)                      -
Ethernet         Ethernet Relay Service (ERS) (Muxed UNI)            Ethernet Multipoint Service (EMS) (Unmuxed UNI)
                 Ethernet Wire Service (EWS) (Unmuxed UNI)           Ethernet Relay Multipoint Service (ERMS) (Muxed UNI)
Other variants   PPP/HDLC over Pseudowire (Unmuxed UNI)              -
L2 VPN Service Comparison

Service  Connection Type                   L2 Encap Types                                Routing Involvement by SP  Customer Protocol Support  Service Provider Core Protocol
VPWS     Point-to-Point (at L2)            Any (FR, ATM/Cell, Ethernet/VLAN, HDLC, PPP)  No                         Any                        IP and MPLS
VPLS     Multipoint-to-Multipoint (at L2)  Ethernet only                                 No                         Any                        MPLS
Summary of Benefits for L2VPNs
- New service opportunities: virtual leased line service; offer a PVC-like Layer 2 based service
- Reduced cost: consolidate multiple core technologies into a single packet-based infrastructure
- Simplify services: Layer 2 transport provides options for service providers who need to provide L2 connectivity and maintain customer autonomy
- Protect existing investments: greenfield networks can extend customer access to existing Layer 2 networks without deploying an old-world infrastructure
- Feature support: through the use of Cisco IOS features such as IPsec, QoS, and Traffic Engineering, L2 transport can be tailored to meet customer requirements
ANY TRANSPORT OVER MPLS (AToM) OVERVIEW
VPWS: Any Transport over MPLS (AToM)
[Diagram: Frame Relay, ATM, leased line and Ethernet attachment circuits carried over an AToM MPLS core to the same attachment circuit types on the far side.]
- AToM is Cisco's implementation of VPWS for MPLS networks
- Provides the ability to transport Layer 2 traffic such as ATM, FR, Ethernet, PPP, and HDLC across MPLS packet-based core networks
- A standards-track open architecture allows extensibility to many transport types
- AToM, combined with Cisco IOS QoS and MPLS traffic engineering, allows service providers to offer virtual leased line types of services
- Service provider does not participate in customer routing
VC Label Negotiation with Directed LDP
[Diagram: CE - PE1 - IP/MPLS LSP - PE2 - CE; a pseudowire runs over the LSP, a directed LDP session runs between PE1 and PE2, and the attachment circuit sits between CE and PE.]
1. Attachment circuit configured with peer address and VC ID
2. PE1 starts directed LDP session with PE2 if one does not already exist
3. PE1 allocates VC label for new circuit and binds to configured VC ID
4. PE1 sends LDP label mapping message containing VC FEC TLV and VC label TLV
5. PE2 receives VC FEC TLV and VC label TLV that matches local VC ID
6. PE2 repeats steps 1-5 so that bidirectional label/VC ID mappings are established
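As an added illustration (not code from the slides), a small Python model of the six-step exchange above: each PE allocates a VC label for its configured attachment circuit, advertises it in a label mapping message, and accepts a peer's mapping only when the VC ID and PW type match a local circuit. PE names, the label pool starting at 16 and the message layout are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LabelMapping:
    """LDP Label Mapping message: VC FEC TLV (vc_type, vc_id) plus VC label TLV."""
    sender: str
    vc_type: str   # pseudowire type, e.g. "ethernet" or "fr"
    vc_id: int     # VC ID configured on the attachment circuit
    vc_label: int  # label the sender wants to receive this PW's traffic with

@dataclass
class PE:
    name: str
    next_label: int = 16                          # first unreserved MPLS label (assumed pool)
    sessions: set = field(default_factory=set)    # directed LDP sessions, by peer name
    local: dict = field(default_factory=dict)     # (peer, vc_id) -> (vc_type, local label)
    remote: dict = field(default_factory=dict)    # (peer, vc_id) -> label learned from peer

    def configure_ac(self, peer: "PE", vc_id: int, vc_type: str) -> LabelMapping:
        # Steps 1-3: AC configured with peer address and VC ID, directed LDP
        # session opened if needed, VC label allocated and bound to the VC ID.
        self.sessions.add(peer.name)
        label, self.next_label = self.next_label, self.next_label + 1
        self.local[(peer.name, vc_id)] = (vc_type, label)
        # Step 4: the label mapping message advertised to the peer.
        return LabelMapping(self.name, vc_type, vc_id, label)

    def receive(self, msg: LabelMapping) -> bool:
        # Step 5: accept the mapping only when a local AC matches the peer,
        # VC ID and PW type; otherwise the binding is ignored and the PW stays down.
        key = (msg.sender, msg.vc_id)
        if key not in self.local or self.local[key][0] != msg.vc_type:
            return False
        self.remote[key] = msg.vc_label
        return True

    def pw_up(self, peer: str, vc_id: int) -> bool:
        """The PW is usable only once labels exist in both directions."""
        return (peer, vc_id) in self.local and (peer, vc_id) in self.remote

def negotiate(pe1: PE, pe2: PE, vc_id: int, vc_type: str) -> bool:
    # Step 6: both sides run steps 1-5, so each PE holds the other's label.
    m1 = pe1.configure_ac(pe2, vc_id, vc_type)
    m2 = pe2.configure_ac(pe1, vc_id, vc_type)
    return pe2.receive(m1) and pe1.receive(m2) and pe1.pw_up(pe2.name, vc_id)
```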
AToM Traffic Encapsulation
Packet layout (32-bit words, bits 0-31):
  Tunnel Label (LDP / RSVP)  | EXP | S=0 | TTL
  VC Label (VC)              | EXP | S=1 | TTL (set to 2)
  0 0 0 0 | Flags | FRG | Length | Sequence number   (Control Word)
  Layer 2 PDU
- Three-level encapsulation
- Packets switched between PEs using the top (tunnel) label
- VC label identifies the PW
- VC label negotiated between PEs with directed LDP
- Optional control word carries Layer 2 control bits and enables sequencing

Control word required per encapsulation:
  Encap.  Control Word Required
  CR      No
  AAL5    Yes
  Eth     No
  FR      Yes
  HDLC    No
  PPP     No
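An added example (not from the slides) that builds and parses the three-level encapsulation shown above, inserting the control word only when the slide's table requires it for the encapsulation type; the parser rejects a control word whose leading nibble is not 0000. Label values and payload bytes are constructed, and the Length field follows the PW control word convention of carrying the PDU length only for short (padded) PDUs.

```python
import struct

# Control word requirement per encapsulation, from the table on this slide.
CONTROL_WORD_REQUIRED = {"cr": False, "aal5": True, "eth": False,
                         "fr": True, "hdlc": False, "ppp": False}

def label_entry(label: int, exp: int, bos: int, ttl: int) -> bytes:
    """One MPLS label stack entry: 20-bit label, 3-bit EXP, 1-bit S (bottom of stack), 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def control_word(flags: int, frg: int, length: int, seq: int) -> bytes:
    """Control word: 0000 | Flags(4) | FRG(2) | Length(6) | Sequence number(16)."""
    return struct.pack("!I", (flags & 0xF) << 24 | (frg & 0x3) << 22
                       | (length & 0x3F) << 16 | (seq & 0xFFFF))

def encapsulate(encap: str, tunnel_label: int, vc_label: int, pdu: bytes,
                tunnel_ttl: int = 255, seq: int = 0, flags: int = 0) -> bytes:
    pkt = label_entry(tunnel_label, 0, 0, tunnel_ttl)   # top label, switched between PEs
    pkt += label_entry(vc_label, 0, 1, 2)                # VC label: bottom of stack, TTL 2
    if CONTROL_WORD_REQUIRED[encap]:
        # Length is only meaningful when the PDU is short enough to be padded (< 64 bytes).
        pkt += control_word(flags, 0, len(pdu) if len(pdu) < 64 else 0, seq)
    return pkt + pdu

def parse(encap: str, pkt: bytes) -> dict:
    labels, off = [], 0
    while True:                                          # walk the stack until S=1
        (v,) = struct.unpack_from("!I", pkt, off)
        off += 4
        labels.append({"label": v >> 12, "exp": (v >> 9) & 7, "ttl": v & 0xFF})
        if (v >> 8) & 1:
            break
    out = {"tunnel": labels[0], "vc": labels[-1], "control_word": None}
    if CONTROL_WORD_REQUIRED[encap]:
        (cw,) = struct.unpack_from("!I", pkt, off)
        off += 4
        if cw >> 28:                                     # leading nibble must be 0000
            raise ValueError("reserved control word bits set")
        out["control_word"] = {"flags": (cw >> 24) & 0xF, "frg": (cw >> 22) & 3,
                               "length": (cw >> 16) & 0x3F, "seq": cw & 0xFFFF}
    out["pdu"] = pkt[off:]
    return out
```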
AToM: XConnect CLI Components
ldp-enabled
- Defines LDP as label protocol
- Globally defined
Example:
  mpls label protocol ldp
  mpls ldp router-id loopback 0 force
pseudowire-class (optional)
- Characteristics template for PWs
- Tunneling mechanism
- Data plane encapsulation type
Example:
  pseudowire-class atom_default
   encapsulation mpls
   sequencing both
Two ways to configure:
- xconnect <target PE>
- mpls l2transport route <target PE>
Example:
  interface FastEthernet5/1.500
   encapsulation dot1q 500
   service-policy input vlan-hi-priority
   xconnect 172.18.255.3 1002 pw-class foo
ATTACHMENT CIRCUITS
10998_04_2005_c1 2005 Cisco Systems, Inc. All rights reserved.
Frame Relay and ATM Support in AToM
Frame Relay:
- Two main transport modes: Port-to-Port or DLCI-to-DLCI
- LMIs carried transparently for Port-to-Port
- LMIs terminated for DLCI-to-DLCI, with remote notifications via LDP
- Multiple FR encapsulation support
- Multiple LMI support
ATM:
- Two encapsulations: AAL5 and Cell Relay
- Single or multiple (packed) Cell Relay supported
- AAL5 supported in VC mode
- Cell Relay in VC/VP and Port modes
- OAM traffic carried transparently
- AAL5 mode may perform OAM emulation
Ethernet/HDLC/PPP Support in AToM
Ethernet:
- Two main transport modes: VLAN and Port
- VLAN mode requires 802.1Q
- VLAN mode supports VLAN ID rewrite
- Supports Ethernet speeds of 10/100/1000 Mbps
PPP/HDLC:
- No special restrictions on HDLC traffic
- PEs do not participate in PPP negotiation
- PPP negotiation requires attachment circuit compatibility
PSEUDOWIRE REDUNDANCY
Pseudowire Service Failure Points
[Diagram: CE1 - PE1 - Packet Switched Network (IP or MPLS) - PE2 - CE2, with a pseudowire between PE1 and PE2 and failure points 1-4 marked.]
1. PSN failure due to end-to-end routing failure
2. PE failure due to HW or SW fault
3. Attachment circuit failure due to line break
4. CE failure due to HW or SW fault
Redundancy Problem Statement
- Service provider desires to build in pseudowire redundancy so that if the service becomes unavailable, it can quickly be migrated over to another point in the service provider's network or the customer's network
- Let us assume that only one end of the network (e.g., the hub site) justifies the allocation of redundancy
- This type of redundancy is end-to-end redundancy
- Can be used with other availability techniques such as SSO/NSF and FRR
Pseudowire Redundancy: Single Side Full Redundancy
[Diagram: CE1 - attachment circuit - PE1 - Packet Switched Network (IP or MPLS); PE1 has a primary pseudowire to PE2a (attachment circuit to CE2a) and a redundant pseudowire to PE2b (attachment circuit to CE2b).]
Pro:
- Addresses faults in the four key areas of a PW implementation
- Reduces the number of PWs that must be active at a given time, so the scale impact is reduced compared to the full redundancy solution
Con:
- Redundant CE/PE required; this increases the cost of the solution
Redundancy Features
- Configure one redundant PE endpoint
- Switch to the redundant PE based on a failure detection mechanism; the failure mechanism must be able to detect a failure in the PSN, the remote PE, or the remote PE-CE connection
- Ability to manually start the switchover to the redundant device
- After a failure, the implementation will be able to detect when a primary PE becomes available and switch back to that device
- Must support some type of dampening technique so as to not switch back and forth between PEs during periods of instability; the dampening algorithm allows for timers for switchover and fallback
Failure Identification
- Attachment circuit failure is identified by interface condition (up/down/LOS) or integrated LMI notification
- Pseudowire failure for AToM is discovered by LDP timeout
- L2TPv3 pseudowire failure is identified by control plane keepalive failure
- In the near future we are looking at expediting the failure detection by using automated BFD over pseudowire VCCV
L2VPN VPWS Redundancy CLI
Configuration CLI:
  xconnect <ip-addr> <vcid> pw-class <name>
   backup peer <ip-addr> <vcid> [pw-class <x>] [priority <value>]
   backup delay <enable-delay> <disable-delay | never>
- One-sided CLI: the redundancy information is only configured on the PE that sees multiple peers
- Multiple redundant peers may be specified; each peer may have a different priority
- enable-delay sets the amount of time a failure must persist before performing switchover
- disable-delay sets the amount of time the primary VC must be available before falling back to the primary VC
- never disables fallback to the primary after a switchover; fallback will only occur if the secondary goes down
- Currently, all peers must be of the same type, i.e., MPLS pseudowires or L2TP pseudowires; no mix and match is allowed. This is enforced by not allowing the pw-class encapsulation types to be different
- Note: if the pw-class is not specified in the backup statements, it will be inherited from the parent xconnect
L2VPN VPWS Redundancy CLI (Cont.)
Manual switchover CLI:
  Router> xconnect backup force-switchover peer <ipaddr> <vcid>
  Router> xconnect backup force-switchover interface <ifcname>
- This new xconnect command is available from the exec prompt
- The IP address and VC ID should match the values of the xconnect the customer wishes to switch over to
- When entered by the user, this command will locate the xconnect configuration associated with the IP address/VC ID and will generate a switchover event to the redundancy manager for this VC
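An added example (not from the slides) modelling how a PE applies the backup peer list and backup delay timers from the previous slide together with the manual force-switchover above: a failure must persist for enable-delay before switching, fallback waits for disable-delay, and never suppresses fallback unless the secondary itself goes down. Peer addresses, VC IDs, tick-based timers and the lower-value-wins priority order are assumptions.

```python
class XconnectRedundancy:
    """Model of one xconnect with 'backup peer' entries and 'backup delay' timers."""

    def __init__(self, primary, backups, enable_delay, disable_delay):
        # primary: (ip, vcid); backups: [(ip, vcid, priority)], lower value preferred (assumed)
        self.primary = primary
        self.backups = [b[:2] for b in sorted(backups, key=lambda b: b[2])]
        self.enable_delay = enable_delay          # ticks a failure must persist
        self.disable_delay = disable_delay        # ticks primary must be up, or "never"
        self.active = primary
        self.down_for = 0                         # consecutive ticks the active peer was down
        self.primary_up_for = 0                   # consecutive ticks primary was up while not active
        self.events = []                          # switchover history, for inspection

    def _switch(self, peer):
        self.active, self.down_for, self.primary_up_for = peer, 0, 0
        self.events.append(peer)

    def tick(self, reachable):
        """Advance one timer interval; `reachable` is what failure detection reports as up."""
        if self.active not in reachable:
            self.down_for += 1
            if self.down_for >= self.enable_delay:
                # Failure persisted: prefer the primary if it is back, else the best backup.
                target = next((p for p in [self.primary] + self.backups if p in reachable), None)
                if target is not None:
                    self._switch(target)
            return self.active
        self.down_for = 0
        if self.active != self.primary and self.primary in reachable:
            self.primary_up_for += 1
            # Fall back only after disable-delay, and not at all when "never" is configured.
            if self.disable_delay != "never" and self.primary_up_for >= self.disable_delay:
                self._switch(self.primary)
        else:
            self.primary_up_for = 0
        return self.active

    def force_switchover(self, ip, vcid):
        """'xconnect backup force-switchover peer <ipaddr> <vcid>' from the exec prompt."""
        if (ip, vcid) not in [self.primary] + self.backups:
            raise ValueError("no xconnect configured for that peer/VC ID")
        self._switch((ip, vcid))
        return self.active
```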